A Scheduled View reduces aggregate data down to the bare minimum, so it contains only the results you need. Queries that run against Scheduled Views return search results much faster because the data is pre-aggregated before the query is run. A Scheduled View query runs continuously, once per minute.

Always use an aggregate operator. This will allow you to avoid duplicating data.

Also, keep the following things in mind when you're creating Scheduled View queries:

Avoid using queries that are likely to change. A key benefit of using Scheduled Views is that they can index historical data, allowing you to identify long-term trends. If a query changes, you may lose some of the historical perspective.

Keep the query flexible. Use a flexible query, like _sourceCategory=*Apache*, so that metadata changes don't break the query.

Consider using fields with more general values (fields with less specificity). For example, you'd want to use "country" and "city" fields instead of "latitude" and "longitude".

Use Partitions. Partitions allow you to reduce your query time even more.

Use more groups. Plan for flexibility by including more groups. However, test your Scheduled View definition to understand how much additional data the extra groups will create.

What types of operators are supported in Scheduled Views?

Scheduled Views are defined by a query, with the search results being indexed.

Due to the way data is indexed in Views, only the following operators are supported:

Non-aggregate operators

Ceil

Concat

CSV

Fields

Format

FormatDate

JSON ('auto' option is not supported)

Keyvalue

Length

Lookup

Matches

Now

Parse

Parse regex, or extract

Predict

Replace

Round

Substring

Timeslice

ToInt/ToLong

Where

Withtime

Do not use the Pct or Avg operators: they do not yield accurate results. Because the query only runs over a one-minute time range (every minute), there are not enough data points to give an accurate sampling.

Aggregate operators

Count

Min

Max

Sum

Scheduled View Validation

Scheduled View validation works this way:

If the query is a non-aggregate query, then only operators from the non-aggregate list are allowed.

If the query is an aggregate query, then all of the operators before the first "group by" statement must be non-aggregate. Then all operators are allowed after the first "group by" operator.

The following operators do not yield reliable results when used against a Scheduled View, but below are some alternative methods to obtain values:

Average.
This can be calculated by taking the sum over timeslices and dividing by the total count.

Count_Distinct, First, Last, Min, Max, Most_Recent, Least_Recent, Pct, Stddev, "Math Values", and RollingStd.
Create the Scheduled View with a count operator to count by the fields you want to aggregate with instead of the unsupported operator. Then you can reference the View and run the aggregation you want.
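As an added illustration (not from the Sumo Logic documentation) of the two alternatives above, this Python snippet models a Scheduled View that stores only sum and count per timeslice and client IP, then derives the overall average and a distinct count from the stored rows. The log records are constructed sample data and the field names are assumptions.

```python
from collections import defaultdict

# Constructed sample logs (not from the page): (minute timeslice, client_ip,
# latency in ms). Minute 10:01 has twice the requests of 10:00 on purpose.
LOGS = [
    ("2024-01-01 10:00", "10.0.0.1", 100),
    ("2024-01-01 10:00", "10.0.0.2", 300),
    ("2024-01-01 10:01", "10.0.0.1", 50),
    ("2024-01-01 10:01", "10.0.0.1", 50),
    ("2024-01-01 10:01", "10.0.0.3", 50),
    ("2024-01-01 10:01", "10.0.0.3", 50),
]

def build_view(logs):
    """Model a view of 'timeslice 1m | sum(latency), count by _timeslice, client_ip'.
    Only sum and count are kept, the aggregates the page says a view supports."""
    view = defaultdict(lambda: {"sum": 0, "count": 0})
    for ts, ip, latency in logs:
        view[(ts, ip)]["sum"] += latency
        view[(ts, ip)]["count"] += 1
    return dict(view)

def average_from_view(view):
    """The page's recommended method: total sum divided by total count."""
    total = sum(r["sum"] for r in view.values())
    n = sum(r["count"] for r in view.values())
    return total / n

def naive_avg_of_minute_avgs(view):
    """What storing a per-minute avg and averaging those would give: every
    timeslice weighs the same, regardless of how many events it had."""
    per_minute = defaultdict(lambda: [0, 0])
    for (ts, _ip), r in view.items():
        per_minute[ts][0] += r["sum"]
        per_minute[ts][1] += r["count"]
    means = [s / c for s, c in per_minute.values()]
    return sum(means) / len(means)

def count_distinct_from_view(view):
    """count_distinct on client_ip: the view holds one counted row per
    (timeslice, client_ip), so distinct IPs are the distinct keys."""
    return len({ip for (_ts, ip) in view})

if __name__ == "__main__":
    v = build_view(LOGS)
    print(average_from_view(v), naive_avg_of_minute_avgs(v), count_distinct_from_view(v))
```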

Note that the parse statement drops any log entries that do not contain the 192.* internal IP string from the _sourceCategory. This creates a smaller subset of data that may be more appropriate for a Scheduled View. If you were searching through all of the IIS logs on a regular basis, a partition may be a better solution to improve query performance.

Lightweight vs Robust Scheduled View

This Scheduled View query is lightweight, and contains only one group:

_sourceCategory=prod/web/iis | timeslice 1m | count by _timeslice

which would produce results like:

Compared to this Scheduled View query, which is more robust, but five times heavier with one additional column:
